Redis Database Open to Attack

Tuesday, July 12, 2016 @ 01:07 PM gHale

The Redis database servers are vulnerable to attack in a big way, researchers said.

Redis is a NoSQL database server good for storing data in the key-value format, using an in-memory system for handling the data and subsequent queries. Redis ranked tenth in terms of usage and popularity in 2015, according to DB-Engines.

Redis was designed with performance as its primary goal, and the problem is that in its default configuration the database has no authentication or other hardened security features, said researchers at Risk Based Security (RBS).

This means that anyone can access its content just by knowing its IP and port. Toward the end of 2015, an exploit appeared that allowed a third party to store an SSH key in the authorized_keys file of any Redis server that doesn’t have an authentication system in place, researchers said.

There are over 30,000 Redis database servers without any authentication available online. According to RBS researchers, 6,338 of these servers suffered compromise.

RBS came to this conclusion after performing a scan using Shodan. RBS researchers’ interest was piqued when they found a hacked server that featured the “crackit” SSH key, attached to an email address they had previously encountered in other incidents.

Scanning Shodan for open Redis servers that featured non-standard SSH keys, researchers found 5,892 instances of SSH keys tied to the one email address. They also found 385 keys for a different email and 211 keys for one other email.

The most common non-standard keys were “crackit,” “crackit_key,” “qwe,” “ck,” and “crack.” In total, RBS found 14 unique emails and 40 unique SSH key combos. As RBS explained, these compromises looked to be the work of multiple groups or individuals.

As for compromised Redis database versions, researchers found 106 different versions, ranging from the very early 1.2.0 version up to the latest release, 3.2.1.

“While we were unable to get anyone to go on the record, it appears from our analysis that we have confirmation of two things, the first being that this is not a new issue, and second, some servers are sitting out there infected and are not being utilized for anything malicious,” RBS researchers said.

RBS said webmasters should update their Redis databases to the most recent version and activate “protected mode,” a security feature introduced in Redis with version 3.2.
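A defender-side audit that ties the points above together: it checks an authorized_keys file for entries that are malformed or carry one of the key names RBS reported, and checks a redis.conf excerpt for the protected-mode, requirepass and bind settings. This is an added example, not RBS tooling or Redis project code; the sample key lines and configuration are constructed.

```python
import re
# Constructed example (not RBS tooling). The key comments are the ones the article reports.
REPORTED_KEY_NAMES = {"crackit", "crackit_key", "qwe", "ck", "crack"}
# authorized_keys entry: [options] key-type base64-blob [comment]
_KEY_LINE = re.compile(
    r"^(?:(?P<opts>\S+)\s+)?(?P<type>ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)"
    r"\s+(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$"
)

def audit_authorized_keys(text: str) -> list[str]:
    """One finding per line that is malformed or whose comment is a reported indicator."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KEY_LINE.match(line)
        if m is None:  # a dump written over the file leaves non-key bytes like this
            findings.append(f"line {lineno}: not a valid key entry (possible dump residue)")
            continue
        comment = (m.group("comment") or "").strip()
        if comment in REPORTED_KEY_NAMES:
            findings.append(f"line {lineno}: key comment {comment!r} matches a reported indicator")
    return findings

def audit_redis_conf(conf: str) -> list[str]:
    """Flag redis.conf directives that leave the instance reachable without a password."""
    settings = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            settings[key.lower()] = value.strip()
    findings = []
    if settings.get("protected-mode", "").lower() != "yes":
        findings.append("protected-mode is not enabled (directive exists from Redis 3.2 on)")
    if not settings.get("requirepass"):
        findings.append("requirepass is unset: anyone reaching the port has full access")
    bind = settings.get("bind", "")
    if not bind or "0.0.0.0" in bind.split():
        findings.append(f"bind is {bind or 'unset'}: listening on every interface")
    return findings

# Constructed sample inputs: the junk line stands in for dump bytes; the keys are not real.
SAMPLE_AUTHORIZED_KEYS = (
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterial0000000000000000000 ops@bastion\n"
    "REDIS0006\xfe\x00\x00\x04garbage\n"
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0constructedKeyMaterial== crackit\n"
)
SAMPLE_REDIS_CONF = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
```

Run `audit_authorized_keys` over the real file of the account Redis runs as, and `audit_redis_conf` over the live redis.conf; an empty list from both means no finding.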